Why Code Signing Matters
Code signing is the process of digitally signing software to verify its authenticity and integrity. For enterprises, code signing is essential for:
- Trust: Users and systems can verify software comes from a trusted source
- Integrity: Detect if code has been tampered with
- Compliance: Meet regulatory requirements for software distribution
- Security: Prevent malware injection into the software supply chain
The Risk of Unsigned Code
Without proper code signing:
- Operating systems display security warnings
- Enterprise software deployment is blocked
- App stores reject submissions
- Supply chain attacks go undetected
Types of Code Signing Certificates
Standard Code Signing
- Signs executables, DLLs, drivers
- Private key stored on developer machines
- Suitable for internal or limited distribution
EV Code Signing
- Extended Validation with hardware key requirement
- Private key must be on HSM or hardware token
- Immediate SmartScreen reputation for new publishers
- Required for Windows kernel-mode drivers
Apple Code Signing
- Developer ID for macOS distribution
- iOS distribution certificates
- Mac Installer certificates
- Notarization requirements
Java Code Signing
- JAR signing for Java applications
- Applet signing (legacy)
- Android APK signing
Enterprise Code Signing Architecture
Centralized Signing Service
Implement a centralized signing infrastructure:
- Signing Server: Dedicated secure server for signing operations
- HSM Integration: Hardware Security Module for key protection
- API Interface: RESTful API for CI/CD integration
- Audit Logging: Complete audit trail of all signing operations
- Access Control: Role-based access to signing keys
CI/CD Integration
Integrate code signing into build pipelines:
# Example GitHub Actions workflow - name: Sign Windows Executable uses: tigertrust/code-signing-action@v1 with: api-key: ${{ secrets.TIGERTRUST_API_KEY }} file-path: build/myapp.exe certificate-name: production-signing-cert timestamp-url: http://timestamp.digicert.com
Key Management
Secure key management is critical:
HSM Requirements
- FIPS 140-2 Level 2 or higher
- Physical tamper protection
- Access control and audit logging
- Key backup and recovery procedures
Key Hierarchy
- Root signing keys (offline, highest security)
- Intermediate/issuing keys (operational use)
- Team or project-specific keys (delegated authority)
Code Signing Best Practices
Protect Private Keys
- Never store private keys on developer machines
- Use HSMs for all production signing keys
- Implement strong access controls
- Regular key rotation (annually or per major version)
Implement Timestamping
Always timestamp signatures:
signtool sign /sha1 THUMBPRINT /tr http://timestamp.digicert.com /td sha256 /fd sha256 myapp.exe
Benefits of timestamping:
- Signatures remain valid after certificate expires
- Long-term verification of signed code
- Compliance requirement for many use cases
Use Strong Algorithms
- SHA-256 or higher for hashing
- RSA 2048-bit minimum, 4096-bit recommended
- ECDSA P-256 or P-384 for modern implementations
Separate Keys by Purpose
- Development/test signing keys
- Production signing keys
- Different keys per product or team
- Separate keys for different platforms
Code Signing Workflow
Development Phase
- Developers build and test locally
- Internal builds signed with development certificate
- QA validation on signed development builds
Pre-Release
- Build artifacts from clean environment
- Security scan before signing
- Approval workflow for production signing
- Sign with production certificate
- Notarize for Apple platforms
Distribution
- Verify signatures before distribution
- Store signed artifacts securely
- Distribute through authorized channels
- Monitor for certificate revocation
Platform-Specific Considerations
Windows Code Signing
# Sign with signtool signtool sign /sha1 THUMBPRINT /tr http://timestamp.digicert.com /td sha256 /fd sha256 myapp.exe # Verify signature signtool verify /pa /v myapp.exe
macOS Code Signing
# Sign application codesign --deep --force --verify --verbose --sign "Developer ID Application: Company Name" MyApp.app # Notarize for distribution xcrun notarytool submit MyApp.dmg --keychain-profile "notarization" --wait # Staple notarization ticket xcrun stapler staple MyApp.dmg
Linux Code Signing
# GPG signing gpg --armor --detach-sign myapp.tar.gz # Verify gpg --verify myapp.tar.gz.asc myapp.tar.gz
Compliance and Audit
Audit Trail Requirements
Maintain records of:
- Every signing operation (who, what, when)
- Key usage and access
- Certificate lifecycle events
- Policy violations and exceptions
Compliance Standards
Code signing supports compliance with:
- PCI DSS: Secure software development
- SOC 2: Change management controls
- FDA 21 CFR Part 11: Electronic signatures for medical devices
- ISO 27001: Information security management
Incident Response
Certificate Compromise
If a signing certificate is compromised:
- Immediately revoke the certificate
- Identify all software signed with compromised key
- Resign with new certificate
- Notify affected customers
- Conduct root cause analysis
Malware Signed with Valid Certificate
If malware is discovered signed with your certificate:
- Investigate how signing occurred
- Revoke certificate if necessary
- Review access controls and logs
- Implement additional safeguards
Conclusion
Enterprise code signing certificates are essential for secure software distribution and supply chain security. By implementing centralized signing infrastructure, proper key management, and robust CI/CD integration, organizations can ensure their software is trusted and secure.
TigerTrust provides enterprise code signing capabilities as part of our comprehensive certificate lifecycle management platform, including HSM integration, CI/CD automation, and complete audit logging.